SSL certificate issues
- Web server issues
- Passphrase protected keys
- Certificate and key encoding
- Matching certificates and keys
Installing SSL certificates on your Cloud 66 stack is very easy: copy the key and certificate and paste them into the SSL certificate dialog. Cloud 66 then automatically transfers the certificates to all of your frontend servers and configures the web server to use them.
However, the SSL certificates and keys you provide must be correct. Specifically, your SSL certificates need to:
- Be entered correctly, so that Nginx can start
- Have no passphrase
- Have the correct encoding
- Match each other
Web server issues
If you’ve added your SSL certificate through the Cloud 66 UI and your web server has stopped serving content, it’s likely that there’s some error with your SSL certificate. In this case, it’s best to SSH to your server and run the following command, which should highlight the error:
$ sudo service nginx restart
Passphrase protected keys
You cannot use passphrase-protected SSL certificate keys with Nginx. A passphrase-protected key causes Nginx to prompt for manual entry of the passphrase at restart, which breaks the automatic deployment flow (and the restart of Nginx after a server restart).
The symptom of this is that your deployment gets stuck in the Restarting Nginx step.
You can simply use a non-passphrase-protected version of your SSL certificate key when adding an SSL key to your stack. Use the following command to do it (on your development computer):
$ openssl rsa -in private_key_with_pass_phrase -out private_key_without_pass_phrase
You will be prompted for your passphrase, after which the key is written to the output file without passphrase protection.
Certificate and key encoding
Certificates and key files need to have only a new line character at the end (instead of both new line and carriage return characters). To see if that’s the case, you can open them in a text editor like TextMate and show the invisible characters.
This is an example of a wrong line ending:
Matching certificates and keys
This problem usually manifests itself as the following error when starting nginx:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("FILE.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
To make sure your key and certificate match, use the OpenSSL command-line tool like this:
$ openssl rsa -noout -modulus -in FILE.key
$ openssl req -noout -modulus -in FILE.csr
$ openssl x509 -noout -modulus -in FILE.cer
If everything matches (same modulus), the files are compatible. If not, one of the files does not belong with the others.
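The line-ending, passphrase and matching checks above can be combined into one pre-upload check. This is an added example, not Cloud 66's own tooling; the function names are illustrative, and it compares public keys rather than RSA moduli so that it also works for non-RSA keys.

```shell
#!/bin/sh
# Added example: pre-upload checks for a key/certificate pair.
# Function names are illustrative, not part of Cloud 66 or OpenSSL.
# After sourcing this file: check_pair FILE.key FILE.cer

# Succeeds if the file contains a carriage return (CRLF line endings).
has_crlf() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Succeeds if the PEM key is passphrase protected: the traditional format
# carries a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 an ENCRYPTED label.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints a SHA-256 digest of the public key held in a key or certificate.
# Comparing public keys generalises the modulus comparison to non-RSA keys.
pubkey_digest() {
    if [ "$1" = key ]; then
        pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    else
        pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    fi
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256
}

# Prints one verdict and returns non-zero on the first failed check.
check_pair() {
    for f in "$1" "$2"; do
        if has_crlf "$f"; then echo "crlf: $f"; return 1; fi
    done
    if key_is_encrypted "$1"; then echo "passphrase"; return 1; fi
    key_fp=$(pubkey_digest key "$1") || { echo "unreadable key"; return 1; }
    cert_fp=$(pubkey_digest cert "$2") || { echo "unreadable cert"; return 1; }
    if [ "$key_fp" != "$cert_fp" ]; then echo "mismatch"; return 1; fi
    echo "ok"
}
```

The passphrase check runs before any OpenSSL call, so an encrypted key is reported instead of triggering a passphrase prompt.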